U.S. patent application number 11/556470 was filed with the patent office on 2007-05-17 for systems and methods for remote rogue protocol enforcement.
This patent application is currently assigned to AKONIX SYSTEMS, INC. Invention is credited to Lisa Lee, Vijnan Shastri, Trung Tran.
Application Number: 20070112957 (11/556470)
Family ID: 38024053
Filed Date: 2007-05-17
United States Patent Application 20070112957, Kind Code A1
Shastri; Vijnan; et al.
May 17, 2007
Systems and Methods for Remote Rogue Protocol Enforcement
Abstract
A user agent residing within a remote client and configured to
enforce message protocol policy is disclosed. The user agent
includes a communication monitoring element and a communication
controller element. The communications monitoring element is
configured to examine a communications connection between the
remote client and an external message server to determine if the
external message server matches a restricted server attribute. The
communications controller element is configured to work in
conjunction with the communications monitoring element to block
communications between the remote client and the external message
server when the external message server matches a restricted server
attribute unless the communications between the remote client and
the external message server are monitored by a protocol inspection
gateway. The protocol inspection gateway is configured to intercept
the communications between the remote client and the external
message server and inspect a message protocol associated with the
intercepted communications to determine if the message protocol
matches a protocol definition file, and when a match occurs, apply
a policy enforcement rule associated with the protocol definition
file that overrides aspects of the message protocol associated with
the intercepted communications.
Inventors: Shastri; Vijnan; (Encinitas, CA); Lee; Lisa; (Truckee, CA); Tran; Trung; (San Diego, CA)
Correspondence Address: BAKER & MCKENZIE LLP; PATENT DEPARTMENT, 2001 ROSS AVENUE, SUITE 2300, DALLAS, TX 75201, US
Assignee: AKONIX SYSTEMS, INC., 600 B Street 18th Floor, San Diego, CA 92101
Family ID: 38024053
Appl. No.: 11/556470
Filed: November 3, 2006
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
60732988 | Nov 3, 2005 |
Current U.S. Class: 709/224
Current CPC Class: H04L 63/0272 20130101; H04L 63/0236 20130101; H04L 41/046 20130101; H04L 41/0893 20130101; H04L 12/4641 20130101; H04L 63/20 20130101
Class at Publication: 709/224
International Class: G06F 15/173 20060101 G06F015/173
Claims
1. A user agent residing within a remote client and configured to
enforce message protocol policy, comprising: a communications
monitoring element configured to examine a communications
connection between the remote client and an external message server
to determine if the external message server matches a restricted
server attribute; and a communications controller element
configured to work in conjunction with the communications
monitoring element to block communications between the remote
client and the external message server when the external message
server matches the restricted server attribute unless the
communications between the remote client and the external message
server are monitored by a protocol inspection gateway, wherein the
protocol inspection gateway is configured to, intercept the
communications between the remote client and the external message
server, and inspect a message protocol associated with the
intercepted communications to determine if the message protocol
matches a protocol definition file, and when a match occurs,
applying a policy enforcement rule associated with the protocol
definition file that overrides aspects of the message protocol
associated with the intercepted communications.
2. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 1, wherein the
restricted server attribute is that the external message server is
an instant messaging server.
3. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 2, wherein the
instant messaging server is an AMERICA ONLINE INSTANT MESSAGING.TM.
server.
4. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 2, wherein the
instant messaging server is a YAHOO INSTANT MESSAGING.TM.
server.
5. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 2, wherein the
instant messaging server is a MICROSOFT NETWORK INSTANT
MESSAGING.TM. server.
6. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 1, wherein the
restricted server attribute is that the external message server is
a peer-to-peer server.
7. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 1, wherein
applying the policy enforcement rule comprises terminating a
communication connection associated with the intercepted
communications.
8. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 1, wherein
applying the policy enforcement rule comprises recording
information associated with the intercepted communications.
9. The user agent residing within a remote client and configured to
enforce message protocol policy, as recited in claim 1, wherein
applying the policy enforcement rule comprises creating a log
comprising information associated with the intercepted
communications and any related communications.
10. A system for enforcing message protocol policy for a remote
client, comprising: a virtual private network agent residing within
the remote client, the virtual private network agent configured to
function as a communications proxy for the remote client; a user
agent residing within the remote client, the user agent configured
to examine every communications connection established between the
remote client and an external message server to determine whether
the external message server matches a restricted server attribute,
and when a match occurs, blocking all messages transmitted between
the remote client and the external message server unless the
messages are routed through the virtual private network agent; and
an enterprise network communicatively connected to the remote
client and the external message server, including, a virtual
private network gateway configured to be in communications with the
virtual private network agent, wherein the virtual private network
gateway is further configured to send messages to and receive
messages from the virtual private network agent via tunneling; a
protocol inspection gateway communicatively connected to the
virtual private network gateway and the external message server,
the protocol inspection gateway configured to, intercept messages
from the virtual private network gateway and the external message
server, and inspect a message protocol associated with the
intercepted message to determine if the message protocol matches a
protocol definition file, and when a match occurs, applying a
policy enforcement rule associated with the protocol definition
file that overrides aspects of the message protocol associated with
the intercepted message.
11. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein the restricted server attribute is
that the external message server is an instant messaging
server.
12. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 11, wherein the instant messaging server is an
AMERICA ONLINE INSTANT MESSAGING.TM. server.
13. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 11, wherein the instant messaging server is a
YAHOO INSTANT MESSAGING.TM. server.
14. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 11, wherein the instant messaging server is a
MICROSOFT NETWORK INSTANT MESSAGING.TM. server.
15. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein the restricted server attribute is
that the external message server is a peer-to-peer server.
16. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein applying the policy enforcement rule
comprises terminating a communication connection associated with
the intercepted messages.
17. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein applying the policy enforcement rule
comprises recording information associated with the intercepted
messages.
18. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein applying the policy enforcement rule
comprises creating a log comprising information associated with the
intercepted messages and any related messages.
19. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein the wide area network is the
Internet.
20. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein the virtual private network agent and
the virtual private network gateway comprise a virtual private
network.
21. The system for enforcing message protocol policy for a remote
client in communications with an external message server, as
recited in claim 10, wherein functionalities of the virtual private
network gateway and the protocol inspection gateway are integrated
into one network gateway device.
22. A method for enforcing message protocol policy for a remote
client, comprising: establishing a communication connection between
the remote client and an external message server; inspecting the
communications connection between the remote client and the
external message server to determine if the external message server
matches a restricted server attribute; and when a match occurs,
blocking the communications connection between the remote client
and the external message server unless messages communicated via
the communications connection are intercepted by a protocol
inspection gateway, wherein the protocol inspection gateway is
configured to inspect a message protocol associated with the
intercepted message to determine if the message protocol matches a
protocol definition file, and when a match occurs, applying a
policy enforcement rule associated with the protocol definition
file that overrides aspects of the message protocol associated with
the intercepted message.
23. The method for enforcing message protocol policy for
a remote client, as recited in claim 22, wherein the restricted
server attribute is that the external message server is an instant
messaging server.
24. The method for enforcing message protocol policy for a remote
client, as recited in claim 23, wherein the instant messaging
server is an AMERICA ONLINE INSTANT MESSAGING.TM. server.
25. The method for enforcing message protocol policy for a remote
client, as recited in claim 23, wherein the instant messaging
server is a YAHOO INSTANT MESSAGING.TM. server.
26. The method for enforcing message protocol policy for a remote
client, as recited in claim 23, wherein the instant messaging
server is a MICROSOFT NETWORK INSTANT MESSAGING.TM. server.
27. The method for enforcing message protocol policy for a remote
client, as recited in claim 22, wherein the restricted server
attribute is that the external message server is a peer-to-peer
server.
28. The method for enforcing message protocol policy for a remote
client, as recited in claim 22, wherein applying the policy
enforcement rule comprises terminating a communication connection
associated with the intercepted messages.
29. The method for enforcing message protocol policy for a remote
client, as recited in claim 22, wherein applying the policy
enforcement rule comprises recording information associated with
the intercepted messages.
30. The method for enforcing message protocol policy for a remote
client, as recited in claim 22, wherein applying the policy
enforcement rule comprises creating a log comprising information
associated with the intercepted messages and any related messages.
Description
APPLICATIONS FOR CLAIM OF PRIORITY
[0001] This application claims the benefit of U.S. Provisional
Application No. 60/732,988 filed Nov. 3, 2005. The disclosure of
the above-identified application is incorporated herein by
reference.
CROSS REFERENCE TO RELATED APPLICATIONS
[0002] This application is related to U.S. patent application Ser.
No. 10/167,228, entitled "Extensible Gateway for Protection against
Rogue Protocols," filed Jun. 10, 2002, U.S. patent application Ser.
No. 10/459,408, entitled "Extendible Gateway for Protection Against
Rogue Protocols," filed Jun. 10, 2003, and U.S. patent application
Ser. No. 10/459,111, entitled "Extendible Gateway for Protection
Against Rogue Protocols," filed Jun. 10, 2003, each incorporated
herein by reference as if set forth in full.
BACKGROUND
[0003] 1. Field of the Invention
[0004] The embodiments disclosed in this application generally
relate to protection against rogue protocols, such as for example
Instant Message (IM) protocols, and the like.
[0005] 2. Background of the Invention
[0006] When a portable computing device communicates remotely with
a public server through the Internet directly or through an
enterprise network connection, both the computing device and the
enterprise network become vulnerable to attempts at intrusion by
malicious users. Intrusion might occur by a person seeking to
wrongfully access the portable computing device or the enterprise
network, or might be due to a program (i.e., virus) attempting to
wrongfully access resources available on the portable computing
device or the enterprise network. For example, a computer virus
might be sent from a public server and if allowed to operate on the
portable computing device, can commandeer resources on the portable
computing device or the enterprise network when the portable
computer is logged on. For another example, a malicious user can
generate a set of messages in an attempt to deny service to, or
otherwise have an effect on the portable computing device or the
enterprise network, such as preventing access by the portable
computing device to resources on the enterprise network, or by
preventing access by others to that portable computing device.
[0007] It is therefore sometimes desirable to apply policy rules
for handling the message traffic of a portable computing device,
particularly when those messages use a message protocol that might
not be directed to business aspects of the network. For example, a
number of message protocols have been developed recently that are
primarily for personal use, but which often make their way into
proprietary networks, such as enterprise networks, and which are
subjected to possible abuses. These message protocols include, for
example, instant message (IM) protocols, peer-to-peer (P2P) and
other file sharing protocols, interactive game protocols,
distributed computing protocols, HTTP Tunneling, and ".NET" or
"SOAP" methods of computer program interaction. Some of the
possible abuses that can result from these message protocols
entering the enterprise network include accidental delivery of a
computer virus to a client device within the enterprise network,
communication of sensitive or proprietary information between a
portable computing device outside the enterprise network and a
client device on the enterprise network.
[0008] In a conventional situation, client devices on the
enterprise network, and behind the enterprise network's firewall
generate various communications with external devices (i.e.,
message servers, home personal computers, etc.) using various
communications protocols, such as IM. In certain embodiments
described in the related applications referenced above, a protocol
enforcement gateway residing on the enterprise network ensures that
the appropriate protocol enforcement rules, or policies, such as
security enforcement policies are enforced for all of the
communications generated by the client devices with the external
devices. When a client device is portable and accesses the
enterprise network remotely, the protocol enforcement gateway may be
unable to control communication traffic generated by the user by
ensuring enforcement of all communication protocol policies. For
example, in a situation where the portable client device is
operated in a remote location (i.e., cafe, airport, restaurant,
etc.) that is external to the enterprise network, there is a need
to enforce communication protocol policies for all non-business
related communications generated by the portable client device.
SUMMARY
[0009] Methods and systems for ensuring enforcement of enterprise
network protocol enforcement policies for portable computing
devices are disclosed.
[0010] In one aspect, a user agent residing within a remote client
and configured to enforce message protocol policy is disclosed. The
user agent includes a communication monitoring element and a
communication controller element. The communications monitoring
element is configured to examine a communications connection
between the remote client and an external message server to
determine if the external message server matches a restricted
server attribute. The communications controller element is
configured to work in conjunction with the communications
monitoring element to block communications between the remote
client and the external message server, when the external message
server matches the restricted server attribute unless the
communications between the remote client and the external message
server are monitored by a protocol inspection gateway.
[0011] The protocol inspection gateway is configured to intercept
the communications between the remote client and the external
message server and inspect a message protocol associated with the
intercepted communications to determine if the message protocol
matches a protocol definition file, and when a match occurs, apply
a policy enforcement rule associated with the protocol definition
file that overrides aspects of the message protocol associated with
the intercepted communications.
[0012] In a different aspect, a system for enforcing message
protocol policy for a remote client is disclosed. The system
includes a virtual private network agent, a user agent and an
enterprise network. The virtual private network agent resides
within the remote client and is configured to function as a
communications proxy for the remote client. The user agent resides
within the remote client, the user agent is configured to examine
every communications connection established between the remote
client and an external message server to determine whether the
external message server matches a restricted server attribute, and
when a match occurs, blocking all messages transmitted between the
remote client and the external message server unless the messages
are routed through the virtual private network agent.
[0013] The enterprise network is communicatively connected to the
remote client and the external message server. The enterprise network
includes a virtual private network gateway and a protocol inspection
gateway. The virtual private network gateway is configured to be in
communications with the virtual private network agent and to send
messages to and receive messages from the virtual private network
agent via tunneling. The protocol inspection gateway is
communicatively connected to the virtual private network gateway and
the external message server.
[0014] The protocol inspection gateway is configured to intercept
messages from the virtual private network gateway and the external
message server and inspect a message protocol associated with the
intercepted message to determine if the message protocol matches a
protocol definition file, and when a match occurs, apply a policy
enforcement rule associated with the protocol definition file that
overrides aspects of the message protocol associated with the
intercepted message.
[0015] In another aspect, a method for enforcing message protocol
policy for a remote client is disclosed. A communications
connection is established between the remote client and an external
message server. The communication connection is inspected to
determine if the external message server matches a restricted
server attribute. When a match occurs, the communications
connection is blocked unless all messages communicated via the
connection are first intercepted by a protocol inspection gateway.
The protocol inspection gateway is configured to inspect a message
protocol associated with the intercepted message to determine if
the message protocol matches a protocol definition file, and when a
match occurs, apply a policy enforcement rule associated with the
protocol definition file that overrides aspects of the message
protocol associated with the intercepted message.
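The protocol inspection gateway of paragraphs [0011] and [0014], as an added example that is not code from the application or from Akonix: intercepted messages are matched against protocol definition files and the rule associated with the matching file (terminate, record, or log, the three rules of claims 7 to 9) overrides what would otherwise happen to the message. The definition format, the protocol signatures and the sample messages are constructed for illustration and are not real IM or P2P wire formats.

```python
"""Model of a protocol inspection gateway: match intercepted messages
against protocol definition files and apply the associated policy
enforcement rule.  Added example; definitions and messages are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class ProtocolDefinition:
    name: str
    signature: re.Pattern   # matches the start of a message of this protocol
    rule: str               # "terminate", "record" or "log"


# Constructed stand-ins for protocol definition files.  A real deployment
# would load these from files and the signatures would be far richer.
DEFINITIONS = [
    ProtocolDefinition("toy-im", re.compile(rb"^IMPROTO/1\.\d "), "terminate"),
    ProtocolDefinition("toy-p2p", re.compile(rb"^\x13P2PHANDSHAKE"), "record"),
    ProtocolDefinition("toy-chat", re.compile(rb"^CHAT (JOIN|MSG) "), "log"),
]


@dataclass
class Connection:
    conn_id: int
    client: str
    server: str
    open: bool = True


@dataclass
class InspectionGateway:
    definitions: list
    recorded: list = field(default_factory=list)  # copies of recorded messages
    log: dict = field(default_factory=dict)       # conn_id -> list of entries

    def identify(self, payload: bytes):
        # First definition whose signature matches the intercepted message;
        # None means no protocol definition matched, so forward unchanged.
        for d in self.definitions:
            if d.signature.match(payload):
                return d
        return None

    def inspect(self, conn: Connection, payload: bytes) -> tuple:
        """Apply the policy rule for one intercepted message.

        Returns (action, payload_to_forward): ("forward", payload) when the
        message may continue, ("terminate", None) when the rule closes the
        connection, and ("dropped", None) for traffic on a closed connection."""
        if not conn.open:
            return ("dropped", None)
        d = self.identify(payload)
        if d is None:
            return ("forward", payload)
        if d.rule == "terminate":
            # Claim 7: terminate the connection carrying the matched protocol.
            conn.open = False
            self.log.setdefault(conn.conn_id, []).append(
                (d.name, "terminated", conn.client, conn.server))
            return ("terminate", None)
        if d.rule == "record":
            # Claim 8: keep a copy of the message, then let it through.
            self.recorded.append((conn.conn_id, d.name, payload))
            return ("forward", payload)
        # Claim 9: log this message and relate it to others on the same
        # connection by keying the log on the connection id.
        self.log.setdefault(conn.conn_id, []).append(
            (d.name, "seen", conn.client, conn.server, len(payload)))
        return ("forward", payload)
```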
[0016] These and other features, aspects, and embodiments of the
invention are described below in the section entitled "Detailed
Description."
BRIEF DESCRIPTION OF THE DRAWINGS
[0017] For a more complete understanding of the principles
disclosed herein, and the advantages thereof, reference is now made
to the following descriptions taken in conjunction with the
accompanying drawings, in which:
[0018] FIG. 1 is a block diagram illustration of a system for
enforcing message protocol policy for a remote client, in
accordance with one embodiment.
[0019] FIG. 2 is a detailed illustration of the functional elements
of a user agent, in accordance with one embodiment.
[0020] FIG. 3 is a flow chart of a method for enforcing message
protocol policy for a remote client, in accordance with one
embodiment.
DETAILED DESCRIPTION
[0021] An invention is described for methods and systems for
ensuring enforcement of enterprise network protocol enforcement
policies for portable computing devices. It will be obvious,
however, that the present invention may be practiced without some
or all of these specific details. In other instances, well known
process operations have not been described in detail in order not
to unnecessarily obscure the present invention.
[0022] As used herein, an enterprise network can include one or
more internal networks such as a local area network (LAN), wide
area network (WAN), locally switched network, or publicly switched
network, some other communication technique, or some combination
thereof, by which devices locally coupled to the enterprise network
can communicate with each other. A virtual private network (VPN) is a
private communications network often used within a company, or by
several companies or organizations, to communicate confidentially
over a publicly accessible network (e.g., Internet, etc.).
[0023] Most VPNs operate using the concept of "tunneling" which is
the transmission of data through a public network in such a way
that routing nodes in the public network are unaware that the
transmission is part of a private network. Tunneling is generally
done by encapsulating the private network data and protocol
information within the public network protocol data so that the
tunneled data is not available to anyone examining the transmitted
data frames. Typically, the basic tunneling infrastructure nodes
are a VPN client and a VPN gateway. The VPN client normally resides
within the client computer while the VPN gateway is interfaced with
the private network that the VPN client "tunnels" through the
publicly accessible network to access.
[0024] It will be understood that the term remote device can refer
to laptops, personal data assistants (PDAs), smartphones, handheld
computers, or any other device that can be used to remotely access
an enterprise network and generate communications. Furthermore, the
term communications refers to any signal generated by a device
carrying information intended to be received by another device. For
example, this may include but is not limited to instant messaging
(IM) communications, voice over Internet protocol (IP)
communications, e-mail, etc.
[0025] FIG. 1 is a block diagram illustration of a system for
enforcing message protocol policy for a remote client, in
accordance with one embodiment. As depicted herein, the system 100
includes a remote client 102, an external message server 110, a VPN
gateway 112, a protocol inspection gateway 114, an enterprise
network 116, and a system administrator console 118. The VPN
gateway 112 and protocol inspection gateway 114 are both coupled to
the enterprise network 116 and are communicatively connected to
each other via the enterprise network 116. The VPN gateway 112 and
protocol inspection gateway 114 can be embodied as a hardware
device (e.g., server, router, etc.) or a software module depending
on the requirements of the particular application. In one
embodiment, the VPN gateway 112 and protocol inspection gateway 114
are each embodied in separate hardware devices. For example, the
functionalities of the VPN gateway 112 can be embodied in a system
router that is in communications with the VPN client 106, whereas
the functionalities of the protocol inspection gateway 114 are
embodied in a server that is coupled to the enterprise network 116.
In another embodiment, the functionalities of the VPN gateway 112
and the protocol inspection gateway 114 are combined into one
integrated network gateway device that is coupled to the enterprise
network 116.
[0026] The remote client 102 hosts both a user agent 104 and a VPN
client 106. In one embodiment, the user agent 104 is
communicatively interfaced with the VPN client 106 such that the
user agent 104 may detect the functional status (i.e., operational,
non-operational) of the VPN client 106 and the VPN gateway 112.
Both the user agent 104 and the VPN client 106 can be created using
any number of programming languages including Practical Extraction
and Report Language (PERL), JAVASCRIPT.TM., Extensible Markup
Language (XML), PYTHON.TM., or RUBY.TM. However, it should be
appreciated that essentially any programming language can be used
to create a user agent 104 or VPN client 106 as long as the
language can effectuate the required functions of those software
objects.
[0027] As depicted, when a remote client 102 communicates with an
external message server 110, the client 102 may choose to use one
of two alternative types of communications connections; an
unrestricted communication connection 103 or a virtual private
network (VPN) connection 101. As used herein, an unrestricted
communication connection 103 is a communications connection between
the remote client 102 and external message server 110 that bypasses
inspection by the protocol inspection gateway 114. Generally, when
a remote client communicates over an unrestricted communication
connection 103 the client 102 is unprotected from various types of
malicious network attacks (e.g., cross-site scripting attacks,
computer viruses, unauthorized user access, denial of service
attacks, etc.) that may be initiated by other computers on the
network or the external message server 110.
[0028] In one embodiment, the unrestricted communications
connection 103 linking the remote client 102 and the external
message server 110 is through a publicly accessible wide area
network (WAN) connection such as the Internet 111. In another
embodiment, the unrestricted connection 103 linking the remote
client 102 and the external message server 110 is through a local
area network (LAN) connection. It should be appreciated that the
unrestricted connection 103 can be through any type of network or
combination of network types as long as the connection bypasses
inspection by the protocol inspection gateway 114 and may be
utilized to transmit data (e.g., messages, files, etc.) between the
remote client 102 and the external message server 110.
[0029] Continuing with FIG. 1, the user agent 104 is configured to
monitor and control any unrestricted communication connection 103
established between the remote client 102 and an external message
server 110. When the user agent 104 determines that the
unrestricted communications connection 103 is with an external
message server 110 that matches a restricted server attribute, the
user agent 104 is configured to block continued transmission of
messages between the remote client 102 and external message server
110 over the unrestricted communications connection 103. In one
embodiment, the restricted server attribute is based on the message
server type. For example, IM servers (e.g., AMERICA ONLINE INSTANT
MESSAGING.TM. SERVER, YAHOO INSTANT MESSAGING.TM. SERVER, MICROSOFT
NETWORK INSTANT MESSAGING.TM. SERVER, etc.), peer-to-peer message
(P2P) servers (e.g., BITTORRENT.TM., etc.), interactive game
servers, and other types of file sharing servers. In another
embodiment, the restricted server attribute is based on the IP
address of the external message server 110. For example, message
servers with IP addresses that match one of a previously compiled
list of IP addresses of suspect message servers. In still another
embodiment, the restricted server attribute is based on the Open
System Interconnection (OSI) layer that the external message server
110 is using to communicate with the remote client 102. It should
be understood, however, that the restricted server attributes
discussed above are presented for illustrative purposes only and
are not intended to be limiting. Essentially any attribute of an
external message server 110 can be used as a restricted server
attribute as long as the attribute may be monitored and recognized
by the user agent 104.
[0030] The restricted server attributes are stored in a system
configuration file that is configured to be fully updatable. In one
embodiment, the system configuration file is stored within the user
agent 104. In another embodiment, the system configuration file is
stored on a separate and independent memory space (e.g., hard drive
partition, etc.) on the remote client 102. It should be
appreciated, however, that the system configuration file may be
stored in any location or form (e.g., read-writable compact disk,
random access memory, tape media, etc.) as long as the user agent
104 can access the restricted server attributes while monitoring
the unrestricted communication connection 103 and the file may be
updated.
[0031] The system configuration file may be updated manually (i.e.,
by a user of the remote client 102 or a system administrator using
the system administration console 118) or automatically by the user
agent 104 through some triggering event. In one embodiment, the
user agent 104 updates the system configuration file with
restricted server attributes from a master configuration file
stored on the system administrator console 118 whenever the agent
104 detects any unauthorized attempts (i.e., tampering) to modify
the system configuration file. In another embodiment, the user
agent 104 updates the system configuration file with restricted
server attributes from a master configuration file stored on the
system administrator console 118 whenever the remote client 102
accesses the enterprise network 116. In still another embodiment,
the system configuration file is automatically updated by the user
agent 104 using the master configuration file stored on the system
administrator console 118 in accordance with a set interval
schedule (e.g., time, etc.).
[0032] Still with FIG. 1, when the user agent 104 blocks data
communications through the unsecured communications connection 103,
the remote client 102 is left with only the option of communicating
with the external message server 110 over the VPN connection 101. A
VPN connection 101 is established whenever the remote client's 102
VPN client 106 successfully negotiates a communications connection
with the VPN gateway 112 via communications tunneling. In this
fashion, the VPN client 106 acts as a de facto communications proxy
for the remote client 102. As described above, tunneling involves
encapsulating the private network data and protocol information
exchanged between the VPN client 106 and VPN gateway 112 within the
public network protocol data so that the tunneled data is not
available to anyone examining the transmitted data frames.
[0033] The VPN gateway 112 is configured to authenticate the VPN
client 106 prior to availing itself to communications with the VPN
client 106. In one embodiment, the VPN client 106 is authenticated
based on client credentials (i.e., information provided by remote
client 102) relating to a distinguishing characteristic of the
authorized user of the VPN client 106 (e.g., biometric information,
device configuration, etc.). In another embodiment, authentication
is based on something that only the authorized user of the VPN
client 106 possesses (e.g., Smartcard, security token, software
token, etc.). In still another embodiment, authentication is based
on something that only the authorized user of the VPN client 106
knows (e.g., a password, a pass phrase, personal identification
number, keystroke sequence, etc.), or some combination of the
three. It should be understood that the examples of client
credentials depicted herein are used for illustration purposes only
and are not meant to limit the types of information that the client
credentials may be based on.
[0034] All communications (e.g., messages, files, etc.) that are
transacted between a remote client 102 and an external message
server over a VPN connection 101 are first intercepted by a
protocol inspection gateway 114 that is coupled to the enterprise
network 116. The protocol inspection gateway 114 is configured to
apply policy rules to select types of messages that are exchanged
between the remote client 102 and the external message server 110
over the VPN connection 101. For example, the protocol inspection
gateway 114 is configured to recognize messages using certain
targeted protocols (i.e., IM protocols, peer-to-peer message
protocols, etc.) and apply certain policy rules to them. Each
targeted protocol is associated with a specific policy rule that
includes specific policy enforcement actions to take with regards
to the intercepted message using the targeted protocol. In one
embodiment, the policy enforcement action involves terminating the
connection associated with the message. In another embodiment, the
enforcement policy involves recording certain information
associated with the message. In still another embodiment, the
policy enforcement involves logging information associated with the
intercepted message and any related messages. It should be
appreciated, however, that the policy enforcement actions may take
any form as long as the action can be executed using the protocol
inspection gateway 114 and does not compromise the integrity of the
enterprise network 116.
[0035] Remaining with FIG. 1, in one embodiment, the protocol
inspection gateway 114 includes a logging module that can be
configured to provide the capability for logging messages as they
are intercepted by the gateway 114. In other words, the logging
module provides a capability for maintaining a persistent log of
all messages exchanged across the protocol inspection gateway 114.
Using the database in which this log is maintained, custom searches
can be conducted and reports generated.
[0036] As discussed above, the protocol inspection gateway 114 is
configured to apply certain policy rules to intercepted messages
using certain target protocols. The protocol inspection gateway 114
monitors and applies policy rules to message traffic through the
use of a set of enforcement rules that are based on a set of
protocol definition files. Each protocol definition file can define
a pattern of values associated with a message that uses a target
protocol. Examples of these patterns include communications port
values and certain character strings on the message header. Thus,
the protocol inspection gateway 114 is configured to match the
pattern of values of a monitored message with the pattern of values
in a protocol definition file to identify messages that use a
particular targeted protocol.
[0037] There can be an individual protocol definition file for
every class or subtype of target protocol. Each protocol definition
file is associated with a particular policy rule or set of policy
rules. Moreover, the set of enforcement rules and protocol
definition files can be expanded as necessary in response to
different target protocols and different ways for handling target
protocols. The set of enforcement rules and protocol definition
files may be updated using the system administrator console 118
that is communicatively linked to the protocol inspection gateway
114. In one embodiment, the system administrator console 118 is
configured to allow only an authorized network administrator to
add, modify, or change the set of enforcement rules and protocol
definition files. For further explanation of how the protocol
inspection gateway functions see U.S. patent application Ser. No.
10/167,228, entitled "Extensible Gateway for Protection against
Rogue Protocols," filed Jun. 10, 2002, U.S. patent application Ser.
No. 10/459,408, entitled "Extendible Gateway for Protection Against
Rogue Protocols," filed Jun. 10, 2003, and U.S. patent application
Ser. No. 10/459,111, entitled "Extendible Gateway for Protection
Against Rogue Protocols," filed Jun. 10, 2003, which are
incorporated herein by reference.
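The matching described in paragraphs [0036] and [0037] (a protocol definition file as a pattern of port values and header strings, each tied to a policy rule) can be illustrated with a small protocol inspection gateway. This is an added example, not code from the application or from the assignee's products; the definition entries, the byte patterns, the `Message` shape and the three policy actions (terminate, record, log) are constructed for the demonstration and do not correspond to any real protocol signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ProtocolDefinition:
    """One protocol definition file: a pattern of values for a target protocol."""
    name: str
    ports: Set[int]            # communications port values (empty set = any port)
    header_patterns: List[bytes]  # regexes that must all match the message header
    policy: str                # policy rule: "terminate", "record" or "log"


@dataclass
class Message:
    """An intercepted message as seen by the gateway (constructed for the example)."""
    dst_port: int
    payload: bytes


# Constructed definition files; the byte patterns are illustrative only.
DEFINITIONS = [
    ProtocolDefinition("example-im", {5190}, [rb"^EXIM/1\.0 "], "terminate"),
    ProtocolDefinition("example-p2p", {6881, 6882}, [rb"^\x13ExampleP2P"], "record"),
    ProtocolDefinition(
        "example-http-chat", {80, 8080},
        [rb"^POST /chat ", rb"X-Chat-Client:"], "log"),
]

HEADER_BYTES = 512  # only the start of the message is treated as the header


def match_definition(msg: Message, definitions: List[ProtocolDefinition]) -> Optional[ProtocolDefinition]:
    """Return the first definition whose port and header patterns all match."""
    header = msg.payload[:HEADER_BYTES]
    for d in definitions:
        if d.ports and msg.dst_port not in d.ports:
            continue
        if all(re.search(p, header) for p in d.header_patterns):
            return d
    return None


class ProtocolInspectionGateway:
    """Applies the policy rule associated with a matched definition file."""

    def __init__(self, definitions: List[ProtocolDefinition]):
        self.definitions = definitions
        self.records = []   # information recorded under a "record" rule
        self.log = []       # persistent log entries written under a "log" rule

    def intercept(self, msg: Message) -> str:
        """Return the gateway's disposition for this message."""
        d = match_definition(msg, self.definitions)
        if d is None:
            return "forward"            # no targeted protocol recognised
        if d.policy == "terminate":
            return "terminate"          # connection is torn down
        if d.policy == "record":
            self.records.append((d.name, msg.dst_port, len(msg.payload)))
            return "forward"
        if d.policy == "log":
            self.log.append((d.name, msg.dst_port, msg.payload[:HEADER_BYTES]))
            return "forward"
        raise ValueError(f"unknown policy {d.policy!r} in definition {d.name}")


if __name__ == "__main__":
    gw = ProtocolInspectionGateway(DEFINITIONS)
    print(gw.intercept(Message(5190, b"EXIM/1.0 LOGIN alice")))
    print(gw.intercept(Message(6881, b"\x13ExampleP2P handshake")), gw.records)
```

Requiring every header pattern to match, rather than any one of them, keeps a definition from firing on ordinary traffic that happens to share one string; adding a new target protocol is a new `ProtocolDefinition` entry rather than a code change, which mirrors the expandable set of definition files the text describes.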
[0038] FIG. 2 is a detailed illustration of the functional elements
of a user agent, in accordance with one embodiment. As depicted
herein, the user agent 104 includes two distinct functional
elements: a communications monitoring element 202 and a
communications controller element 204. It should be appreciated
that both elements are depicted here as separate and distinct
entities for the purpose of abstracting the functionality of the
user agent 104 without intent to limit the number or types of
functional elements that comprise a user agent 104. The
communications monitoring element 202 is configured to monitor all
communications connections established by the remote client with an
external message server to determine if the external message server
matches a restricted server attribute in the same fashion as that
described above. If a match occurs, the communications monitoring
element 202 alerts the communications controller element 204. If a
match does not occur, the communications monitoring element allows
the communications between the remote client and external message
server to proceed unhindered. As discussed above, the restricted
server attributes utilized by the communications monitoring element
202 may be updated with the restricted server attributes from a
master configuration file stored on the system administrator
console 118 in accordance with certain triggering events.
[0039] In one embodiment, the communications controller element 204
is configured to block all further communications between the
remote client and the external message server unless the
communication is first routed through and intercepted by a protocol
inspector gateway (by way of a VPN network connection). In another
embodiment, the communications controller element 204 is configured
to automatically establish a VPN network connection with an
enterprise network hosting a protocol inspection gateway and route
all communications traffic between the remote client and external
message server through the VPN network connection.
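The two functional elements of the user agent described in paragraphs [0038] and [0039], working from the updatable system configuration file of paragraphs [0030] and [0031], can be sketched together. This is an added example, not code from the application or from the assignee's products. It assumes a JSON-shaped configuration, a keyed integrity tag (HMAC-SHA256 under a key the agent and console are assumed to share) as the tamper check that triggers a reload from the master copy, and a boolean telling the controller whether the connection is already routed through the inspected VPN; the hosts, networks and ports are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Optional, Tuple

# Constructed master configuration file, as held on the administrator console.
MASTER_CONFIG = {
    "restricted_servers": [
        {"type": "im", "hosts": ["im.example-messenger.test"], "ports": [5190]},
        {"type": "p2p", "networks": ["198.51.100.0/24"], "ports": [6881, 6882]},
        {"type": "game", "hosts": ["play.example-game.test"], "ports": []},
    ]
}
# Hypothetical integrity key shared by the agent and the console (constructed).
INTEGRITY_KEY = b"example-integrity-key"


def serialize(config: dict) -> bytes:
    """Canonical encoding so the integrity tag is stable across rewrites."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(config: dict) -> str:
    """Integrity tag stored beside the system configuration file."""
    return hmac.new(INTEGRITY_KEY, serialize(config), hashlib.sha256).hexdigest()


class SystemConfigFile:
    """Local copy of the restricted server attributes plus its integrity tag."""

    def __init__(self, config: dict, tag: str):
        self.config = config
        self.tag = tag

    def is_intact(self) -> bool:
        return hmac.compare_digest(sign_config(self.config), self.tag)


def load_or_restore(local: SystemConfigFile, master: dict) -> Tuple[dict, bool]:
    """Return usable attributes; fall back to the master copy if tampering is detected."""
    if local.is_intact():
        return local.config, False
    return master, True   # triggering event: unauthorized modification detected


def matches_restricted_server(attrs: dict, host: str, ip: str, port: int) -> Optional[str]:
    """Communications monitoring element: return the matching server type, if any."""
    addr = ipaddress.ip_address(ip)
    for entry in attrs["restricted_servers"]:
        host_hit = host in entry.get("hosts", [])
        net_hit = any(addr in ipaddress.ip_network(n) for n in entry.get("networks", []))
        port_hit = (not entry.get("ports")) or port in entry["ports"]
        if (host_hit or net_hit) and port_hit:
            return entry["type"]
    return None


def controller_decision(attrs: dict, host: str, ip: str, port: int,
                        via_inspected_vpn: bool) -> str:
    """Communications controller element: block unless the gateway inspects the traffic."""
    kind = matches_restricted_server(attrs, host, ip, port)
    if kind is None:
        return "allow"
    return "allow-via-gateway" if via_inspected_vpn else "block"


if __name__ == "__main__":
    local = SystemConfigFile(MASTER_CONFIG, sign_config(MASTER_CONFIG))
    attrs, restored = load_or_restore(local, MASTER_CONFIG)
    print(restored, controller_decision(attrs, "im.example-messenger.test", "203.0.113.5", 5190, False))
```

An entry with an empty `ports` list matches the server on any port, which is how the game-server type is expressed here; the integrity tag only detects modification by a party without the key, so the key must itself be stored where the user of the remote client cannot read it for the tamper check to mean anything.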
[0040] FIG. 3 is a flow chart of a method for enforcing message
protocol policy for a remote client, in accordance with one
embodiment. Illustrations depicting the system and user agent
utilized in this method are shown in FIGS. 1 and 2, respectively.
Method 300 begins with operation 302 where a communications
connection between a remote client and an external message server
has been established. As discussed above, the connection may either
be an unsecured communications connection or a VPN connection. The
method 300 continues to operation 304 where the communications
connection between the remote client and the external message
server is inspected to determine if the external message server
matches a restricted server attribute. As discussed above, examples
of restricted server attributes include, but are not limited to,
certain message server types such as IM servers (e.g., AMERICAN
ONLINE INSTANT MESSAGING.TM. SERVER, YAHOO INSTANT MESSAGING.TM.
SERVER, MICROSOFT NETWORK INSTANT MESSAGING.TM. SERVER, etc.),
peer-to-peer message (P2P) servers (e.g., BITTORRENT.TM., etc.),
interactive game servers, and other types of file sharing
servers.
[0041] The method 300 proceeds to operation 306 where, when a match
occurs, the communications connection between the remote client and
the external message server is blocked unless the messages are
intercepted by a protocol inspection gateway. The protocol
inspection gateway is configured to inspect a message protocol
associated with the intercepted message and determine if the
message protocol matches a protocol definition file, and when a
match occurs, apply a policy enforcement rule associated with the
protocol definition file that overrides aspects of the message
protocol associated with the intercepted message.
[0042] The embodiments, described herein, can be practiced with
other computer system configurations including hand-held devices,
microprocessor systems, microprocessor-based or programmable
consumer electronics, minicomputers, mainframe computers and the
like. The embodiments can also be practiced in distributed
computing environments where tasks are performed by remote
processing devices that are linked through a network.
[0043] It should also be understood that the embodiments described
herein can employ various computer-implemented operations involving
data stored in computer systems. These operations are those
requiring physical manipulation of physical quantities. Usually,
though not necessarily, these quantities take the form of
electrical or magnetic signals capable of being stored,
transferred, combined, compared, and otherwise manipulated.
Further, the manipulations performed are often referred to in
terms, such as producing, identifying, determining, or
comparing.
[0044] Any of the operations that form part of the embodiments
described herein are useful machine operations. The invention also
relates to a device or an apparatus for performing these
operations. The systems and methods described herein can be
specially constructed for the required purposes, such as the
carrier network discussed above, or they may be a general purpose
computer selectively activated or configured by a computer program
stored in the computer. In particular, various general purpose
machines may be used with computer programs written in accordance
with the teachings herein, or it may be more convenient to
construct a more specialized apparatus to perform the required
operations.
[0045] The systems and methods described herein can also be
embodied as computer readable code on a computer readable medium.
The computer readable medium is any data storage device that can
store data, which can thereafter be read by a computer system.
Examples of the computer readable medium include hard drives,
network attached storage (NAS), read-only memory, random-access
memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical
and non-optical data storage devices. The computer readable medium
can also be distributed over a network coupled computer systems so
that the computer readable code is stored and executed in a
distributed fashion.
[0046] Certain embodiments can also be embodied as computer
readable code on a computer readable medium. The computer readable
medium is any data storage device that can store data, which can
thereafter be read by a computer system. Examples of the computer
readable medium include hard drives, network attached storage
(NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs,
CD-RWs, magnetic tapes, and other optical and non-optical data
storage devices. The computer readable medium can also be
distributed over a network coupled computer systems so that the
computer readable code is stored and executed in a distributed
fashion.
[0047] Although a few embodiments of the present invention have
been described in detail herein, it should be understood, by those
of ordinary skill, that the present invention may be embodied in
many other specific forms without departing from the spirit or
scope of the invention. Therefore, the present examples and
embodiments are to be considered as illustrative and not
restrictive, and the invention is not to be limited to the details
provided therein, but may be modified and practiced within the
scope of the appended claims.
* * * * *